Windows Server 2008 R2 Active Directory introduces the Recycle Bin feature. If you have deployed Windows Server 2008 R2, or upgraded your domain to the Windows Server 2008 R2 schema, and you assume the Recycle Bin is active, you are wrong: the feature has to be enabled explicitly.

So raise your forest functional level to Windows Server 2008 R2 and run the following command in a PowerShell console (be aware that enabling the Recycle Bin cannot be undone afterwards):

Note: the above command is indeed a PowerShell command; the Active Directory module for Windows PowerShell is itself new in Windows Server 2008 R2.

So what does the above command do? From this point onward a deleted object is no longer tombstoned and stripped of most of its attributes. Instead it becomes a deleted object that keeps all of its attributes, including the link-valued ones (both the links from it and the links to it), for the deleted-object lifetime (180 days by default). Only after that does it turn into a recycled object, which is stripped the way a tombstone used to be and can no longer be restored. Preserving the links of a deleted object was not possible with the previous schema versions.
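As an added example (not the command from the original post), here is how the complete enable procedure looks in the AD module, together with the checks a practitioner wants before and after. The forest name contoso.com is an assumption, and the script must be run as an Enterprise Admin.

```powershell
# Added example: enable the AD Recycle Bin with pre- and post-checks.
# Assumes the forest root domain is contoso.com (hypothetical) and that the
# caller is an Enterprise Admin. Enabling the feature cannot be undone.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'contoso.com'

# 1. The Recycle Bin requires the Windows Server 2008 R2 forest functional level,
#    which in turn requires every DC in the forest to run 2008 R2 or later.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    Write-Host "Raising forest functional level from $($forest.ForestMode) to $required"
    Set-ADForestMode -Identity $forest -ForestMode $required -Confirm:$false
}

# 2. Enable the optional feature forest-wide (irreversible). -Target is the forest root domain.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 3. Verify: EnabledScopes now lists the Partitions container and an NTDS Settings
#    object of the forest. An empty list means the feature is still off.
(Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes

# 4. How long a deleted object stays restorable: msDS-DeletedObjectLifetime applies;
#    when it is not set, tombstoneLifetime applies; when neither is set, 60 days.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime |
    Select-Object 'msDS-DeletedObjectLifetime', tombstoneLifetime
```

Step 4 matters for planning: if the lifetime values are too short for your backup and review cycle, set msDS-DeletedObjectLifetime on that same Directory Service object before you start relying on the Recycle Bin.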

So we have a user called John Doe with several attributes set:

He has several attributes populated, such as streetAddress and a login script (scriptPath), and he is a member of the group Group1. Now we delete the user from the Active Directory Users and Computers (ADUC) console.

If we want to look at the deleted object, the old way of searching for it (http://support.microsoft.com/kb/258310) no longer works. Instead there is a hidden container in every domain partition called CN=Deleted Objects,DC=<domain>.

We can browse this container with ldp.exe. Start ldp.exe, connect to a domain controller, and bind with your current credentials. Then open Options > Controls, choose Return Recycled Objects from the Load Predefined list, and click OK. Now open View > Tree, enter CN=Deleted Objects,DC=<domain> as the base DN (note DC, not CN, for the domain components) and click OK.

Now we see the deleted John Doe object (its name has been changed to John Doe\0ADEL:<objectGUID>) and, on the right, the attributes that a tombstone would normally have lost.

There are multiple ways to restore the user object. One is the LDP console: right-click the object and select Modify. In the Attribute field type isDeleted, leave the Values field empty, select Delete under Operation and click Enter. Then, in the Attribute field type distinguishedName, type the target DN in the Values field (the lastKnownParent attribute of the deleted object tells you where it used to live), select Replace under Operation and click Enter. Finally click Run. Both changes must be sent to the DC in the same modify operation, which is why you click Enter twice and Run once; sending them separately fails.

However, you might find it easier to use the new PowerShell cmdlets. First, find the deleted object(s):

Get-ADObject -Filter {displayName -eq "John"} -IncludeDeletedObjects

To restore, simply pipe the output of the above command to Restore-ADObject. Check the output first: the filter should return exactly the deleted object you intend to bring back, so it is wise to add isDeleted -eq $true to the filter so that a live object with the same display name can never match.

Of course it is also possible to restore entire OUs and the objects beneath them, as long as the OU is restored before its children: Restore-ADObject refuses to restore an object whose former parent does not exist.
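As an added example (mine, not the author's), the following restores a single deleted user and then a whole deleted OU tree, restoring each parent before its children by following the lastKnownParent attribute. The user name John Doe and the OU name Sales are assumptions, as is the domain taken from the local RootDSE.

```powershell
# Added example: find deleted objects and restore them parent-first.
# Assumes the AD module, a deleted user "John Doe" and a deleted OU "Sales"
# (hypothetical). Run with rights to create objects in the target OUs.
Import-Module ActiveDirectory

$deletedContainer = "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)"

# Restore one deleted object, but only if its former parent is live again.
function Restore-DeletedObject {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Object)

    $parentDn = $Object.lastKnownParent
    try {
        Get-ADObject -Identity $parentDn -ErrorAction Stop | Out-Null
    } catch {
        throw "Parent '$parentDn' of '$($Object.Name)' is missing or still deleted; restore it first."
    }
    # Identify by GUID: the deleted DN contains the escaped \0A character and is fragile.
    Restore-ADObject -Identity $Object.ObjectGUID -PassThru
}

# Restore a deleted OU and then, recursively, everything that used to live in it.
function Restore-DeletedTree {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Root)

    $restored = Restore-DeletedObject -Object $Root
    $rootDn   = $restored.DistinguishedName

    # Children still in the Recycle Bin point at the OU's original DN in lastKnownParent.
    Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -Filter { lastKnownParent -eq $rootDn -and isDeleted -eq $true } `
        -Properties lastKnownParent |
        ForEach-Object { Restore-DeletedTree -Root $_ }
}

# 1. Single user: restrict to isDeleted so a live "John Doe" can never be selected.
$john = Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
    -Filter { displayName -eq "John Doe" -and objectClass -eq "user" -and isDeleted -eq $true } `
    -Properties lastKnownParent
if (@($john).Count -ne 1) { throw "Expected exactly one deleted John Doe, found $(@($john).Count)" }
Restore-DeletedObject -Object $john

# 2. Whole OU: the deleted OU's name is "Sales\0ADEL:<guid>", so match on the prefix.
$salesOu = Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
    -Filter { name -like "Sales*" -and objectClass -eq "organizationalUnit" -and isDeleted -eq $true } `
    -Properties lastKnownParent
Restore-DeletedTree -Root $salesOu
```

Restore-ADObject also accepts -TargetPath and -NewName when the original location no longer exists or the original name is now taken; the parent check in Restore-DeletedObject is what turns the cmdlet's generic error into a message that tells you which object to restore first.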

[update]

Many wonder how the group memberships of a user (as well as its other backlinks) are restored when a Recycle Bin object is reanimated (restored). It turns out the backlinks are not deleted as they normally would be: although the forward link (the member attribute of the group) no longer shows the deleted user, the memberOf attribute (the backward link) on the deleted object is kept. Or, in Microsoft's terms:

We simply added a taxonomy to the link table which gives us the ability to preserve the link data while deactivating the link when an object is deleted.

To view the memberOf of a deleted object you can use a PowerShell cmdlet that Ned Pyle gave to me:
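The cmdlet the author received is not reproduced on this page. As an added example (mine, not the author's or Ned Pyle's), the following reads the memberOf backlink of the deleted user in two ways: through the AD module, and through a raw LDAP search that explicitly attaches the "show recycled objects" and "show deactivated link" controls, which is what makes deactivated links visible. The user name John Doe, the group Group1 and the server name contoso.com are assumptions, as is the expectation that the AD module already sends the needed control on its own.

```powershell
# Added example: inspect the preserved (deactivated) links of a deleted user.
# Assumes a deleted user whose name starts with "John Doe", a group "Group1"
# and a DC reachable as contoso.com (all hypothetical).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$deletedContainer = "CN=Deleted Objects,$((Get-ADRootDSE).defaultNamingContext)"

# 1. AD module view. The deleted object still carries memberOf (assumption: the module
#    attaches the necessary control), while the group's forward link hides the member.
$john = Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
    -Filter { name -like "John Doe*" -and isDeleted -eq $true } `
    -Properties memberOf, lastKnownParent

Write-Host "memberOf on the deleted object:"
$john.memberOf

$groupMembers = (Get-ADGroup -Identity 'Group1' -Properties member).member
Write-Host "Group1 still lists the deleted user as member: $($groupMembers -contains $john.DistinguishedName)"

# 2. Raw LDAP view with explicit controls, independent of what the module sends.
#    1.2.840.113556.1.4.2064 = LDAP_SERVER_SHOW_RECYCLED_OID
#    1.2.840.113556.1.4.2065 = LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID
function Get-DeletedObjectLinks {
    param([string]$Dn, [string]$Server = 'contoso.com')

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()    # current credentials

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base,
        @('memberOf', 'isDeleted', 'lastKnownParent'))

    foreach ($oid in '1.2.840.113556.1.4.2064', '1.2.840.113556.1.4.2065') {
        $ctl = New-Object System.DirectoryServices.Protocols.DirectoryControl($oid, $null, $true, $true)
        $req.Controls.Add($ctl) | Out-Null
    }

    $entry = $conn.SendRequest($req).Entries[0]
    [pscustomobject]@{
        DistinguishedName = $entry.DistinguishedName
        IsDeleted         = $entry.Attributes['isDeleted'].GetValues([string])
        LastKnownParent   = $entry.Attributes['lastKnownParent'].GetValues([string])
        MemberOf          = $entry.Attributes['memberOf'].GetValues([string])
    }
}

Get-DeletedObjectLinks -Dn $john.DistinguishedName
```

If the module's memberOf comes back empty on your DC, the raw search with the deactivated-link control is the authoritative check; it asks the DC directly for the links that were deactivated rather than deleted, which is exactly the mechanism the Microsoft quote above describes.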